Pluggable Authentication Modules (PAM)

pam_passwdqc is a simple password strength checking module for
PAM-aware password changing programs, such as passwd(1). In addition
to checking regular passwords, it offers support for passphrases and
can provide randomly generated passwords. All features are optional
and can be (re-)configured without rebuilding.

More information on pam_passwdqc and download links are available on
its dedicated page.

pam_mktemp is a PAM module that may be used with a PAM-aware login
service to provide per-user private directories under /tmp as part
of PAM session or account management.
When an interactive (shell) session is started, a directory is created
and the environment variables TMPDIR and TMP are set to the name of
the directory.

pam_tcb is part of the
Openwall GNU/*/Linux (Owl) tcb
suite implementing the alternative password shadowing scheme.
It also makes use of the password hashing framework introduced with
crypt_blowfish.
It should be used in place of modules such as pam_unix and pam_pwdb.

More information on the tcb suite and download links are available on
its dedicated page.

PAM has traditionally assumed that services doing authentication have
the ability to interact with the user. Unfortunately, this isn't true
for services that implement non-interactive and/or fixed protocols,
such as FTP and POP3. This is typically worked around by making the
flawed assumption that PAM_PROMPT_ECHO_ON requests the username and
PAM_PROMPT_ECHO_OFF requests the password.
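The workaround described above, sketched as a conversation callback. This is an added example, not code from this page or from pam_userpass. The PAM constants and structs are local stand-ins mirroring Linux-PAM's <security/pam_appl.h>, and struct creds, dup_str and style_based_conv are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins mirroring Linux-PAM's <security/pam_appl.h>, so this builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Hypothetical holder for what the fixed protocol already supplied (USER/PASS). */
struct creds { const char *user, *pass; };

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* The workaround: msg_style alone picks the answer; the prompt text is ignored. */
int style_based_conv(int n, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata) {
    const struct creds *c = appdata;
    struct pam_response *r;
    int i;
    if (n <= 0) return PAM_CONV_ERR;
    if (!(r = calloc((size_t)n, sizeof(*r)))) return PAM_BUF_ERR;
    for (i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO) continue; /* nowhere to show it */
        if (style != PAM_PROMPT_ECHO_ON && style != PAM_PROMPT_ECHO_OFF) break;
        r[i].resp = dup_str(style == PAM_PROMPT_ECHO_ON ? c->user : c->pass);
        if (!r[i].resp) break;
    }
    if (i == n) { *resp = r; return PAM_SUCCESS; }
    while (i-- > 0) free(r[i].resp);   /* undo partial answers on failure */
    free(r);
    return PAM_CONV_ERR;
}

int main(void) {
    struct creds c = { "alice", "constructed-pass" };   /* constructed sample values */
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, "One-time code: " };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    if (style_based_conv(1, &mp, &r, &c) != PAM_SUCCESS) return 1;
    printf("asked for a one-time code, callback sent: %s\n", r->resp);
    free(r->resp); free(r);
    return 0;
}
```

Any stacked module that issues an echo-off prompt for something other than the password is answered with the password anyway, and an echo-on prompt for anything but the username gets the username.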

With pam_userpass, this assumption is no longer required.
pam_userpass uses PAM binary prompts (only available in Linux-PAM) to
ask the application for the username and password specifically.

pam_userpass doesn't perform any actual authentication. An actual
authentication module should be stacked after pam_userpass and told to
use the authentication token (password) provided by pam_userpass.